What's New: Livestream for Azure Sentinel is now released for General Availability
Published Jun 15 2020 07:34 AM 6,561 Views

What is Azure Sentinel Livestream? 


Livestream lets you run queries that refresh every 30 seconds and notifies you of any new results. Creating a livestream enables you to (1) test newly created queries as events occur, (2) receive notifications from a session when a match is found, (3) promote a livestream to a detection rule to generate incidents in the future, and (4) quickly launch investigations if necessary. You can create a livestream session from any Log Analytics query.


How do I get started?


Create a livestream session:

In the Azure portal, navigate to Sentinel > Threat management > Hunting.

Select the Livestream tab.

Select “+ New livestream” to start a new livestream.

Enter the query you want to stream, for example:

SecurityEvent
| where EventID == 4625

In this query we’re asking Azure Sentinel to stream all Windows logon events in this workspace (the SecurityEvent table) where the event ID is 4625, which is logged when an account fails to log on. As you can see, we’re getting a lot of events here, and they’re being updated every 30 seconds by the livestream.


Quickly launch an investigation:

Quickly launch an investigation in the investigation graph directly from your livestream by creating a bookmark from the livestream results.




Create a new detection:


If the livestream shows a change from the baseline level of activity in your environment, select “Create analytics rule” to promote your livestream query to an analytics rule. The rule then generates incidents for future matches, so you are prepared to respond.
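A raw stream of every 4625 event is useful for watching activity, but a query you intend to promote to an analytics rule usually needs aggregation and a threshold so it fires on a deviation from baseline rather than on every single failed logon. The KQL below is an added example, not a query from the original post; the table and column names (SecurityEvent, Account, Computer, IpAddress, SubStatus) follow the Windows security event schema in Log Analytics, and the 30-minute window and the threshold of 10 failures are assumptions to tune against your own baseline.

```kql
// Added example (not from the original post): failed logons grouped per account,
// host and source address over a 30-minute window, with a threshold suitable for
// promotion into an analytics rule. The window and the threshold value are assumptions.
SecurityEvent
| where TimeGenerated > ago(30m)
| where EventID == 4625
| summarize
    FailedAttempts = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SubStatuses = make_set(SubStatus)   // hex reason codes, e.g. bad password vs. unknown user
    by Account, Computer, IpAddress
| where FailedAttempts >= 10
| order by FailedAttempts desc
```

Run this as a livestream first: the every-30-seconds refresh lets you see whether the threshold separates normal mistyped passwords from a burst worth an incident. Once it only returns rows you would actually investigate, “Create analytics rule” carries the same query across, and the SubStatuses set gives the responder the failure reasons without a second query.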





Use hunting livestream in Azure Sentinel to detect threats



Quick wins  - Proactively identify signs of intrusions in real time with Azure Sentinel Livestream


